OSV:GHSA-GXPJ-CX7G-858C
Aug 09, 2018 - 8:18 p.m.

Regular Expression Denial of Service in debug

2018-08-09 20:18:07
Google
osv.dev
AI Score: 5.5 Medium (Confidence: High)

EPSS: 0.003 Low (Percentile: 69.4%)

Affected versions of debug are vulnerable to regular expression denial of service (ReDoS) when untrusted user input is passed into the o formatter (%o).

Because it takes 50,000 characters to block the event loop for 2 seconds, this is a low-severity issue.

The vulnerability was later re-introduced in version 3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later.
Version 3.1.x: Update to version 3.1.0 or later.
Version 3.2.x: Update to version 3.2.7 or later.
Version 4.x.x: Update to version 4.3.1 or later.
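
To apply the recommendation across a dependency tree, the following added example (not code from debug or from the advisory) checks every copy of debug recorded in a package-lock.json against the version lines above and reports the release to update to. The names RANGES, fixFor and auditLock and the sample lockfile are constructed for illustration. The lower bounds of the ranges (2.0.0, 3.0.0, 3.2.0, 4.0.0) are assumptions read from the Recommendation list and the re-introduction note, and versions below 2.0.0 are not reported because the advisory does not list them.

```javascript
// [first affected version, first patched version], from the Recommendation
// list. Assumption: each range starts at the lower bound shown here.
const RANGES = [
  [[2, 0, 0], [2, 6, 9]],
  [[3, 0, 0], [3, 1, 0]],
  [[3, 2, 0], [3, 2, 7]],
  [[4, 0, 0], [4, 3, 1]],
];

// Parse "x.y.z" into [x, y, z]; any pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Compare two [x, y, z] triples: negative, zero or positive.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Version to update to, or null when `version` is outside every range.
function fixFor(version) {
  const v = parseVersion(version);
  if (!v) return null;
  const hit = RANGES.find(([lo, fixed]) => cmp(v, lo) >= 0 && cmp(v, fixed) < 0);
  return hit ? hit[1].join('.') : null;
}

// Walk a package-lock.json (lockfileVersion 2 or 3) and report every copy of
// debug, including copies nested under other packages.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/debug$/.test(path)) continue;
    const updateTo = fixFor(meta.version || '');
    if (updateTo) findings.push({ path, version: meta.version, updateTo });
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo', version: '1.0.0' },
  'node_modules/debug': { version: '4.3.4' },
  'node_modules/express/node_modules/debug': { version: '2.6.8' },
  'node_modules/mocha/node_modules/debug': { version: '3.2.6' },
  'node_modules/debug-fabulous': { version: '1.1.0' },
}};
console.log(auditLock(sampleLock));
```

Nested copies matter here because debug is usually pulled in transitively, so the top-level entry alone does not show whether an affected release is installed.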
